gnupg1: digest-preference not honoured
Closed, Resolved (Public)

Description

Hi, a posting of B. Reiter and the linked c't article made me look into the packets of my key, and I found that my gpg v1.4.2?-made key uses digest algo 2 despite that not being in personal-digest-preferences.

Even if I strip down personal- to only include SHA512 it will never be shown as list header by showpref, and the "expire trick" will not change the actually used digest of my key.

Is this "wontfix" and now "you really have to go gpg v2"?
Or not?
Thank you.

sdaoden created this task. May 13 2019, 6:30 PM
werner added a subscriber: werner. May 13 2019, 6:49 PM

No, personal-digest-preferences are not used to select a digest algorithm for key signatures. The only way to use a different digest algorithm than the one selected by gpg is by using --cert-digest-algo. But take care, you can easily cut into your fingers when using such override options.

GnuPG 1.4 uses SHA-1 to create key signatures and that is unlikely to change because 1.4 is a fallback solution to process existing data created with PGP 2 keys or without the MDC feature. You should never ever create or modify a current key using that tool. The next maintenance release will emphasize this by printing a bold warning if you try.

Regarding the "expire" or "set-primary" trick: My comment on heise.de was wrong - I overlooked that these two commands try to keep most properties of an old signature; including the digest algorithm :-(. This will be changed with the next GnuPG release to forcefully switch to SHA-256 if SHA-1 or RMD160 was used.

How a digest algorithm is selected for a key signature

Key signatures, which are self-signatures to bind a subkey or user-id to a key or 3rd party certifications of a user id, are created by gpg with a digest algorithm selected this way:

  1. If the option --cert-digest-algo is used, the given algorithm is used regardless of whether this makes sense or is possible by the underlying public key algorithms. A wrong specification may lead to all kinds of errors. Thus this option should in almost all cases not be used.
  2. If a DSA or ECDSA public key algorithm is used, the required digest algorithm is selected. For example a 1024 bit DSA key requires a SHA-1 signature, a 2048 bit DSA key requires SHA-256. All ECC algorithms use a SHA-2 algorithm.
  3. The default algorithm is used. This means the use of SHA-256 in the default compliance mode (explicit with option --gnupg or --compliance=gnupg) or with --compliance=de-vs. In the various OpenPGP compliance modes (--rfc2440, --rfc4880, --openpgp, etc), SHA-1 is used due to the requirements out of the RFC.

The above is valid for the current stable GnuPG versions (>= 2.1). For GnuPG 1.4 the same algorithm is used but for compatibility with other OpenPGP implementations the default digest algorithm (for RSA) is still SHA-1.
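To check which digest algorithm the key signatures on an existing key actually use (the "digest algo 2" the reporter found in his key packets), the signature packets of a binary key export can be read directly. The following is an added example, not part of the original thread and not GnuPG code; it assumes RFC 4880 packet framing and unarmored input (for example the output of `gpg --export`), and the function names and the `SAMPLE` bytes are constructed for illustration.

```python
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}
# Certifications (0x10-0x13), subkey/primary-key bindings, direct-key.
KEY_SIG_TYPES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x19, 0x1F}

def packets(data):
    """Yield (tag, body) for every packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet (armored input?)")
        if hdr & 0x40:                      # new-format header
            tag, first, pos = hdr & 0x3F, data[pos], pos + 1
            if first < 192:
                size = first
            elif first < 224:
                size, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                size, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body length not supported")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            width = 1 << ltype
            size, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
        if pos + size > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + size]
        pos += size

def key_signature_digests(data):
    """Return [(sig_type, digest_name, is_weak)] for key signatures."""
    found = []
    for tag, body in packets(data):
        if tag != 2 or not body:
            continue
        t_off, h_off = (1, 3) if body[0] >= 4 else (2, 16)  # v4+ vs v3 layout
        if len(body) > h_off and body[t_off] in KEY_SIG_TYPES:
            name = HASHES.get(body[h_off], f"unknown({body[h_off]})")
            found.append((body[t_off], name, name in WEAK))
    return found

# Constructed sample (stub bodies): user ID, SHA-1 cert, SHA-256 binding.
SAMPLE = bytes.fromhex("b405616c696365" "880a0413010200000000abcd"
                       "c20a04180108000000001234")
```

Calling `key_signature_digests()` on the bytes of an exported key returns one tuple per self-signature or certification, with the last field set to `True` for MD5, SHA-1 and RIPEMD160.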

werner triaged this task as High priority. May 13 2019, 6:53 PM
werner added a project: gnupg (gpg22).

I keep this open to track the mentioned change for gnupg 2.2

Oh, ah. Ok. I do not read c't any more since about 2005. They are busy people and lead into the right direction.

Thank you for the investigative context information.

(Yes, it is RSA-4096 here. (I do not really care as I cannot, not being a mathematician, and RSA-4096 was advocated in the FreeBSD manual already in the FreeBSD time frame 4.7-5.3.))

werner closed this task as Resolved. May 15 2019, 8:55 AM
werner claimed this task.